An improved lightweight anonymous user authenticated session key exchange scheme for Internet of Things

Due to the myriad applications of the Internet of Things (IoT) in various sectors like healthcare, military, industry, safety, etc., there is also a need to secure these systems efficiently. The devices in such networks need to provide services to users in a secure manner. User authentication is a mechanism through which we can provide secure communication between IoT devices. Recently Banerjee et al. outlined a lightweight anonymous user authenticated session key exchange scheme for Internet of Things deployment, which uses three-factor authentication of a user such as smart card, password and biometric. In this paper, we cryptanalyze their scheme and find that it is not secure against smart card loss attack and stolen verifier attack. Then we have proposed an improved scheme to overcome the weaknesses of their scheme. We present the formal security analysis of our scheme using the random oracle model and informal security analysis to show that our scheme is secure against many known attacks. Its formal security verification is carried out using ProVerif tool. Its performance analysis is carried out with the related schemes which shows that our scheme is more secure than other schemes. Also, our scheme does not contain any storage table at the gateway side for authentication.